FDPPI completes online Examination for the second batch of Certification

On May 3, 2020, FDPPI conducted the online examination for the second batch of professionals who took the examination for “Certified Data Protection Officer-Module-I”. A total of 23 persons took the examination.

Some of the participants have opted to take an improvement examination and the results would be collated after the completion of the process.

We congratulate all the participants for their effort.

FDPPI is now preparing to plan for conduct of Module-G which covers the global laws. In this module the coverage will include the knowledge of GDPR, CCPA and Singapore PDPA in particular.

At the end of Module-G, those who complete Module-I and Module G should be the minimal awareness of the major data protection laws that are relevant for an Indian DPO working in an environment where personal data is gathered from multiple countries.

CDPO (M-I+M-G) is aimed to be comparable to the existing international certifications which can be  completed at a more affordable cost.



Posted in Uncategorized | Leave a comment

Some Queries on PDPA answered

Today (30th April 2020) there was an interesting webinar by Justice B N Srikrishna on the Personal Data Protection Act. A detailed report on the webinar has been provided in www.naavi.org. In the well attended webinar where more than 890 people were on board the Zoom platform which remained perfectly stable, several questions were raised by the participants and due to the paucity of time Justice Srikrishna was not able to answer them.  To build the general knowledge base, the questions have been picked up and answered here. I hope it would be useful.

Q 1:  What is the punishment under PDPA for illegal transfer of data

Answer: PDPA is basically a legislation to promote proactive compliance  of measures that would help in protection of Privacy through “Information Privacy”. It therefore prescribes restrictions on transfer of data outside India. If this is contravened, there could be civil penalties to the extent of 4% of the total worldwide turnover of the data fiduciary or Rs 15 crore which ever is higher. (In case of Government organizations the penalty is limited to Rs 5 crore). No criminal punishment is envisaged for this contravention.

Q 2: What is the punishment for taking data in the name of investigation and sovereignty of India

Answer: Misuse of law by law enforcement and the Government agencies due to political and other influences cannot be fully prevented by law alone. However when the law has provided some powers under certain conditions and it is used in a situation where the conditions are not fulfilled, the act would become an “Unauthorized Action”.

In such cases the law enforcement person or the Government employee however he is can be charged of “Unauthorized Access”, “Unauthorized diminution of the value of the information” which are cognizable offences under ITA 2000 (Information Technology Act 2000) as well as some provisions under IPC. The difficulty of bringing such influential persons to answer the law and the problem of delays tin court proceedings are hurdles for which the system has to take responsibility.

Q3: The Right to be forgotten has been truncated in PDPB compared to GDPR. Why?

The rights provided under PDPB is not truncated compared to GDPR. The Right to Access, Right to Correction, Right to Portability and Right to Forget are all available in Indian law as well as GDPR.

The only distinction is that the “Right to Forget” can be exercised only after clearance from the Adjudicator. This is a welcome step to ensure that criminals donot take advantage to remove the traces of crime and evidence.

Q4: What would be the impact of GDPR on Indian Companies post PDPA?

GDPR applies to personal data collected from the EU region or profiling done in the EU region. PDPA applies to personal data collected from the Indian region or profiling done in Indian region.

Indian law has also recognized the need to provide exemption on specific notification when EU personal data is processed in India by an Indian Data Processor under a contract from the EU Data Controller.

Hence there is no overlapping of GDPR with PDPA.

Q5: How do we cover Data Privacy in the current scenario before the Act becomes effective?

PDPA is conceived as an extension of ITA 2000. Presently there is Section 43A of ITA 2000 which provides obligations to “Body Corporates” to follow “Reasonable Security Practice”. The Reasonable Security Practice includes the best industry practices and the contractual obligations. Now the best industry practice represented as “Due Diligence” covers the entire PDPB. Hence we already have a legal framework to impose penalties under ITA 2000 though we may not have a DPA mechanism or 2% or 4% penalty regime.

ITA 2000 also has provisions under Section 43 linked to Section 66 as well as Section 72A, Section 67C, Section 69, 69A, 69B and 70B all of which impose different responsibilities of data protection which includes personal data protection and covers both civil and criminal penalties.

Hence we already have a law which will get refined and get a better implementation mechanism after PDPB becomes PDPA

Q 6: Would Targeted Ads on Social Media Sites is “Breach of Privacy”?

Privacy is breached when personal information of a data subject is used without his consent. Targetted Ads is an indication that the profile of the individual has been created by the advertiser.

It is possible that the profile might have been created out of information shared by the individual with consent. Alternatively the profiling might have been accidental or related to the environment.

For example, if a person visits open the Zomato app, and an advertisement of a restaurant appears, it is because the Zomato environment has been branded as a place visited by some body who is on the look out for a hotel.

If however the individual is on twitter discussing politics but he gets an ad related to a computer which he had explored for purchasing on Amazon yesterday, there is an indication that Amazon has shared the information to the ad serving company.

Perhaps Amazon has already taken the “Implied Consent” of the individual as part of the terms and conditions. If we donot like it, we can check back on the terms of Amazon and decide whether you should continue to use Amazon or not.

When it comes to applying data protection laws, apart from checking on the consent, we need to check what harm has been committed in the process other than the ad being shown (as long as it is not obscene or inducing disharmony etc).

Q 7:  What is the difference between the Data Fiduciary and the Data Processor?

Both the Data Fiduciary and the Data Processor, undertake activities of “Processing” which may include collection, storing, transmission, aggregation etc. But the Data Processor does not take an independent decision on the “Purpose” and “Means of Processing”. Data Fiduciary decides what to do with the personal data and how it has to be processed. In most cases, the personal data is collected by the Data Fiduciary after obtaining the consent since he known the purpose of collection. Occassionally, he may engage the services of another (Data Processor) who collects the personal data based on the consent requirement that is mandated by the Data Fiduciary.

As long as the Data Processor remains a faithful follower of the Contract of Processing, he remains a Data Processor. If he starts using his discretion, he would be taking on the role of a “Co-Data Fiduciary”.

Law makes Data Fiduciary mostly responsible for following the data protection principals, honouring the data principal’s rights, security etc. because he is responsible for the way data is processed.  The Data Processor is mainly responsible for security and faithful following of the contractual obligations. He does not have a discretion to act as he likes. Hence there is a difference in the liability of the two.

In any practical case, distinguishing the roles is important and often complicated.

Q 8: Why is Password not part of the data protection regime?

Password has been omitted from the list of Sensitive Personal Information. But it is still part of the security that both the Data Fiduciary and the Data Processor are responsible.

Also, India has other means of authentication such as Digital Signatures which are legally recognized while Password is only a business convenience. All authentication methods are part of the Security requirements and passwords alone cannot be added as sensitive, unless all “Access Credentials” by whatever name they are called including “Encryption and Decryption keys”  are brought into the higher level of security.

Q 9: If personal data is stored outside India, will there be a Jurisdictional issue?

Yes. It is for this reason that the law enforcement is pressing for “Data Localization” or atleast for a copy of the data to be kept in India.

Data Localization is also an economic benefit to the country as it would boost the data storage industry and the eco system around it.

Presently only sensitive information needs to be retained in India as a copy. Critical data alone is prohibited for transfer. Personal data can be freely transferred.

Q 10: What happens to data stored prior to the act becoming effective

In the absence of any specific direction in this regard from the DPA, it would be necessary for organizations to renew the consent on legacy personal data or purge them.

Q 11: Is a separate law required for Community data?

PDPA covers the law regarding an individual’s personal data. If there is a personal data of a group of persons then that data belongs to all of them jointly and severally. The right should be shared.

What Justice Srikrishna called as “Community data” in the report was data such as Google Maps which were contributed by many individuals but collectively exploited by a commercial entity. He felt that this belongs to the category of “Non Personal Data” but is an aggregation of personal data  collection, de-identified to some extent. Such data may also come up in Smart Cities and IoTs.

It would have been possible to include regulation of such data in PDPA but since it may involve other technology related dimensions, perhaps the Srikrishna Committee felt that it was beyond the scope of what the Supreme Court expected a Personal Data Protection act could do.

We can wait and see what Kris Gopalakrishna committee on Data Governance framework may suggest in this regard.

Q 12: There is X company having Co-location data center in India. Will the laws of X Country apply?

This sort of a situation presents a difficult legal proposition. The “Data” is processed in devices physically located in India but it relates to individuals whose “Privacy” or any other right is protected under the laws of that country. Hence both country’s laws have an impact.

PDPA has however tried to overcome this dilemma by making a provision that if personal data of foreign citizens is being processed in India (Whether through servers owned by a foreign entity or an Indian entity), then such facility can be notified as exempt from Indian PDPA. This eases the problem of foreign entities using India for establishing their data centers.

Q 13: What is the Sprinklr Scam?

Sprinklr is a US Company engaged in Data Analytics. Kerala Government used the services to process the data of Covid patients to track the people infected, the progress of the infections in the state etc.

Initially a form was provided on the portal of the Company where information could be entered by the public or the health workers. Later a separate website was opened under a domain name of the Kerala Government in which the form was hosted.

There was also a political objection raised by Congress party in Kerala that the contract was not properly awarded after evaluation and there was some favouritism involved in awarding the contract. The contract was for free for 6 months which could be either considered as a favour done to the Government or that the data was of such value that processing fee was waived.

From the perspective of the Privacy, the absence of proper data protection contract, the possibility of sensitive data being used by a foreign agency, the fact that dispute resolution was subject to the New York Jurisdiction (like many other web based contracts) were raised. The Kerala High Court has given an interim order stating that only “Anonymized” personal data should have been shared and not what the Government did.

More than the “Scam” angle what is relevant is that this case has underscored the need for the PDPA to be made effective as soon as possible so that erring companies face regulatory supervision.

Q 14: What will happen to the Copyright of one data fiduciary when porting is requested?

In the event porting of personal data along with the profile built over the information provided by him involves revealing of any trade secret, the Data Fiduciary can contest the porting in full and also approach the Adjudicator if required.

This problem underscores the need to understand the nature of data and its lifecycle in an organisation and how law may have to be modified in its application at different points of time.

Q 15: Will a consent taken through EULA be valid?

While certain aspects of privacy related consent can be obtained in the EULA, the “Notice” and “Consent” has to be taken in such a manner that the data principal understands the context in which the permissions are asked for and taken.

When sensitive personal information is involved in the processing, explicit consent is necessary. Even in other cases where implicit consent may suffice, taking it through EULA would not provide the appropriate focus to the Privacy protection.

It is therefore recommended that Privacy Notice should be properly highlighted even when taken along with the terms of service and there is no scope for the data principal being confused with extraneous aspects.

Q 16: What happens to the data in a Company which is amalgamated with another Company?

In amalgamations or acquisitions, the entity survives in a new capacity and the data gets transferred like any other property to the amalgamated entity. Acquisitions are therefore a way of buying data if it is a valuable asset.

One classic example is the case of CIBIL which was acquired by TransUnion and was renamed as TransUnion CIBIL. With this acquisition, Transunion which earlier had a share holding of 10% raised its shareholding to 92.1% and in the process 600 million sensitive data sets of Indian Citizens and 32 million data sets of businesses came under the control of the US Company.

At present PDPA does not address such “Data Laundering” directly. In fact Consent is exempted in cases of Credit Scoring for collection of non sensitive data. However the organization like Trans Union CIBIL would be considered as a “Data Fiduciary” and would be subject to the authority of DPA to conduct data audits. The financial data would also be considered as “Sensitive Personal Data” and the company would be considered as a Significant Data Fiduciary.

Q 17: How Would Arogya Setu app reconcile with Privacy?

Arogyasetu is an app floated by the Government to enable tracking of Covid infected patients and preventing them from coming in to close contact with others and spread the infection.

The use of the app as an instrument of public safety would be considered acceptable under the permitted exemption.

The App managers have to however ensure that appropriate consent is obtained, data is properly secured and all compliance measures envisaged under the Act are followed.

Q 18: Government often uses Drones for maintaining public peace and in the process the Drones capture images of people in the street and inside the houses. Does it affect Privacy.

Use of Drones for maintaining vigilance to control riots and to otherwise manage public safety is an exempted use  from Privacy Perspective. Normally Drone would capture images from public space and hence privacy may not be involved. However if any pictures capture within the private property, it may be considered as ” Incidental to the main purpose of keeping vigilance on public street”

Also if a criminal runs away from public space and hides inside a private premises, the doctrine of hot chase should apply to track him and bring him out.

These incidents are special incidents and law has to be treated them as such.

Q 19: When is “Deletion of Data” required under PDPA

Personal data which was collected for a specific purpose should be deleted after the purpose is over. Similarly the Data Principal has a right to demand deletion of data for the purpose of correction and in exercise of his rights of portability and right to forget. Right to forget is however subject to mandatory Adjudication.

Q 20: When does the Breach of Privacy occur?… At the time of collection? or at the time of its use?

Since the law prescribes that personal data shall be collected under a consent, used for a specific purpose etc., breach of the law of privacy can occur at both occassions.

Q 21: Why is it necessary that personal data has to be given to every telephone operator when a data principal wants to open accounts with each of them? Can there not be a centralized data center?

Presently RBI is trying to set up a Centralized KYC system for Banks. Similar system can be used by telecom operators. Besides PDPA has a provision of a “Consent Manager” who can act as a centralized repository of personal data and prevent data duplication and associated multiplicity of risks.

Q 22: Mobile Apps often misuse the permissions given at the time of downloading by taking permission for purposes that are irrelevant. Does PDPA address this.

Mobile App owners are data fiduciaries under PDPA and are bound by all compliance measures envisaged under the Act. This includes purpose specific and purpose limited collection of information. If this is violated fines can be levied at 2% pr 4% of global turnover. The DPA will have power to conduct its own audit. In case of popular Apps, DPA may declare it as a “Significant Data Fiduciary” and an annual data audit from an external data auditor could be mandatory. The Data Principals can also make a complaint directly to the DPA. While the sheer number of Apps may pose their own challenges, there are adequate measures to prevent misuse of permissions at least in case of popular Apps.

Q 23: If some one steals a mobile phone and data from the phone,  is it an offence?

Such offences are already covered under Information Technology Act 2000. What PDPA does is to add penalties to the companies who manage Apps through which personal data is collected and misused when not required for the purpose of the App.

Q 24: Is there any time limit for storage of data in the Bill?

The time limits would be specified through regulations from DPA. Until then it would be guided by the purpose of collection and the legitimate interest of the data fiducairy.

Q 25: As per the bill protection is provided only for natural persons. What happens in the case of dead persons?

The Personal Data Protection Bill tries to protect the Privacy rights of the citizens of India through pro-active measures to be taken by organizations which collect and process personal information.  Hence it is limited to natural persons.

The concept of privacy protection through data protection is being achieved by capturing a choice to the data principal to declare how his/her personal data has to be processed by the person who collects it. This choice is expressed through a document of consent which is like a contract.

Hence in case of a dead person, the Constitutional right such as “Right to Dignified Life and Liberty” ceases to have meaning and there is no way consent of a dead person to considered valid. Hence it is impractical to expect that “Privacy Right” has to be extended to dead persons. Dignity of a dead person in respect of providing a decent cremation etc is not “Privacy”. Secrecy of the affairs of the dead person is also not “Privacy” though it is important for the legal heirs to protect the truth about a dead person becoming public after death.

Hence PDPA as a law to protect Privacy does not address the right of a dead person, though in some other countries like Singapore some rights continue after death for a specific time period.

Some of the service providers like Google or Face Book may consider the information assets of a person in the accounts as some thing which can be revealed to the legal heirs just as the contents of a Bank locker is given to the legal heirs. These are dictated by inheritance rights and not Privacy.

Q 26: When a data fiduciary has transferred the data to a third party data processor and the data principal exercises his right to erasure, how does the data fiduciary manage it?

It is necessary for the data fiduciary to bind the data processors by contract and ensure that at all times the shared data is synchronized not only in cases of deletion but also in cases of correction. This is an essential aspect of compliance.

Q 27: How Will a consent based law work in a country like India where people are illiterate?

The mechanism of Consent Manager is one of the innovative methods that PDPB 2019 has suggested to address such issues.

Q 28: How do we protect recording of telephone calls?

When A is talking to B, a conversation is generated which belongs to both A and B jointly. If either one of them records, it cannot be objected on the grounds of privacy because the data is being disclosed voluntarily.

Only if a third party intercepts the conversation and records, an offence can be recognized and it will be recognized under PDPA for civil compensation and under ITA 2000 for both civil and criminal remedies.

Q 29: Can one use data from someone elses’s phone and use it as evidence?

Yes. Under Indian Evidence Act irrespective of the means of collection of evidence, if it is a fact and has to be produced as evidence, it can be admitted under the relevant procedure such as Section 65B of Indian Evidence Act. If in the process there is any violation of PDPA, then the person should face the consequences parallelly.

Q 30: What would be the time period for implementation of the PDPB?

The Government while passing the Act may specify different time schedule for implementation of different provisions.

(P.S: The views expressed above are the personal views of Naavi based on the interpretation of the current version of the Bill. These could change with the passage of the bill and the issue of clarifications by the Government and/or DPA.  Further questions if any can be sent to FDPPI/Naavi)

Posted in Uncategorized | Leave a comment

Free Program on Privacy Protection through Data Protection by FDPPI

On receipt of several requests, FDPPI intends to conduct a free 30 minute webinar on the “Privacy Protection through Data Protection”. The exact date and time will be finalized shortly.

It could be tentatively held on 15th April 2020 at 11.00 am  provided we have confirmed interest.

Interested persons may indicate by sending their request here by e-mail to fdppi@fdppi.in



Posted in Uncategorized | 7 Comments

Certificate Program to be accelerated

The Course on Certified  Data Protection Professional (CDPP) being conducted with virtual classes from Naavi  was planned to be conducted over 6 weeks with one session each on Saturday’s and Sundays starting from April 4th.

In view of the lock down conditions in the country with most professionals working from home, it has been decided to complete the course of 12 sessions over 3 weeks instead of 6 weeks, by conducting two sessions per day on Saturday’s, and Sundays on April 4, 5, 11,12, 18 and 19th.

The sessions will be conducted between 11.00 AM to 12.30 PM and 3.00 to 4.30 PM on these days.

This program will be called Module-I which is about the Indian laws regarding data protection. This is the foundation module for all Data Protection Professionals. In the coming days, FDPPI will be conducting additional modules such as Module G (Global laws including GDPR), Module T (Technology for Data Protection), Module A (Data Audit) and Module B (Behavioural skills for DPOs).

FDPPI welcomes professionals interested in entering the Data Protection domain to make use of this opportunity to upgrade their skills and knowledge and be ready before the Companies will be  looking out for professionals with the right attitude, knowledge and skills to take over the responsibility as DPOs.


Posted in Uncategorized | 2 Comments

First Certificates of CDPP given away at Chennai


The first Certificates of the CDPP course conducted in December 2019-February 2010 were given to Mr Durai Kannaiyan and Mr Nikhil Ranjan Nayak in a function in Chennai on 14th March 2020, by the honurable guests Justice K.N. Basha and M.P. Mr P.Wilson.

They were two of the nine persons who successfully completed the certification program. Two others are from Mumbai and Five others are from Bangalore.

The successful candidates were:

M/S Durai Kannaiyan, Nikhil Ranjan Nayak from Chennai, Mr Anil Chiplunkar and Bondiah Adepu from Mumbai , Mr Suresh Balepur, Rajesh Kumar, Vasanthika Srinath, Suma Nagraja and V.K.Jyothi from Bangalore.

FDPPI conveys its hearty congratulations to all these professionals who got certified through the rigorous certification program conducted over a three moth period under the supervision of Sri Na.Vijayashankar, (Naavi) Chairman of FDPPI and the Director of Cyber Law College.


Posted in Uncategorized | Leave a comment

Registrations for the CDPP Course to be closed

The Early bird discount period for the registration for the second batch of the course for “Certified Data Protection Professionals” has ended.

The registrations will however continue upto 28th March 2020.

Specific discounts offered by Cyber Law College to members of some associate organizations will continue as per their offer made directly to those members.

If you are members of any of the organizations namely,  CYSI, BSPIN, ISACA, they may contact naavi directly for the special discount offered to them.


Posted in Uncategorized | Leave a comment

Discussion on PDPA Bill at Chennai

FDPPI and Cysi successfully conducted a workshop in Chennai to discuss the forthcoming Personal Data Protection Bill 2019. 

Honourable Justice K.N. Basha, retired judge of the Madras High Court and sitting MP, honourable P.Wilson graced the occasion.

Naavi made a presentation on the salient features of the Bill, and the need for the Bill to be passed into an Act. He also discussed on some of the controversies surrounding the Bill.

A detailed question and answer session followed in which the participants sought and obtained various clarifications.

Mr Wilson who is also an advocate himself spoke and highlighted  the need to create awareness among the stake holders even before the Bill is passed so that any modifications can be accommodated.

Justice K.N. Basha congratulated CySi and FDPPI for taking up the initiative and suggested that the points arising out of the discussion may be shared with the Government.

During the occasion, the Certificates of Mr Durai Kannaiyan and Nikhil Ranjan Nayak, members of FDPPI who were recently conferred the recognition as “Certified Data Protection Professionals” by FDPPI after a course and evaluation examination were handed over by Justice K.N. Basha and Mr P. Wilson.


Posted in Uncategorized | Leave a comment

FDPPI and Cysi to conduct a workshop on PDPA at Chennai

Cyber Society of India (CySi)  and Foundation of Data Protection Professionals in India (FDPPI) have organzied a half day workshop on Personal Data Protection Act (Proposed law in India presently with the Parliamentary committee), on 14th March 2020.

The program is meant to provide basic information on the proposed law, how it impacts the industry.

Honourable Justice K.N.Basha, former judge of the Madras High Court and Mr P.Wilson, Honourable Member of Parliament (RS) are expected to grace the occassion.

FDPPI is also distributing the Certificates to the successful candidates from Chennai who passed out of the recent “Certified Data Protection Professional” course conducted by FDPPI, marking the beginning of a new era of trained Data Protection Professionals in India


Posted in Uncategorized | 2 Comments

Second Batch of Certification for DPOs to commence in April 2020

Cyber Law College, a training partner of FDPPI proposes to commence the second batch of the course on “Certified Data Protection Officer in India  (M-I)” as an online course on week ends starting from April 4th. The online classes will be conducted on Saturdays and Sundays at 11.00 am for a duration of 90 minutes. There will be 12 sessions which will end on May 10th.

The fee for FDPPI members would be Rs 9,500/- inclusive of the base course material.

Non members are required to pay Rs 14,500/- which is inclusive of the membership fee of Rs 5000/- for FDPPI.

Rs 500/- would be charged for those who opt to purchase the book “Personal Data Protection Act of India (PDPA 2020) by Naavi”. This is optional additional course material.

An early bird discount of Rs 1000/- would be available till 15th March 2020.

The total registrations are intended to be limited.

Payment links will be sent to those who register through e-mail to fdppi@fdppi.in . Kindly mark “Registration for Course” in the subject line and provide your name, contact details, option for purchase of book. In case any member would like to opt for a higher level of membership of FDPPI such as “Supporting Member”, it may also be indicated.

(Copy of the prospectus with application form available here)

Payment options:

For Members of FDPPI: 

(a) Course fee only for FDPPI members : Rs 9500/-  

(b) Cost of Book on PDPA ( if not already purchased):  500/-

(Total of (a)+(b) Rs 10,000/-)

For Non Members:

Membership fee: 

Rs 5000/- towards Foundation membership.

Option to become Supporting member at Rs 10000/- also available. (See here for details).

The total fee payable for non members(a)+(b)+(c) would therefore be:  Rs 15000/-

If the candidate has already purchased the book, they can opt out of the book and pay  Rs 14500/- 

Payment Link is available here::

P.S: For members of ISACA, the training partner has offered a discount of Rs 2000/- applicable upto 28th March 2020. Such members may pay only Rs 13000/- instead of Rs 15000/- and provide the membership reference in the application form.


Posted in Uncategorized | Leave a comment

FDPPI looks out for Training Partners for its Certification Program

FDPPI is the pioneer in India for development of skills required for being an efficient Data Protection Officer in India. FDPPI’s “Certified Data Protection Officer” program has already been rolled out with the first batch of the first module of the program having been completed on 23rd February 2020.

Cyber Law College, a division of Ujvala Consultants Pvt Ltd, which was the pioneer in introducing Cyber law courses in India in the year 2000 was also the pioneering training partner for FDPPI in conducting the first training program of the “FDPPI Certified DPO” (FCDPO-I) program.  It will continue to work on more of such programs either online or offline as well as working on other modules as envisaged for the multi model program.

FDPPI’s program for development of skilled DPOs in India, is conceived by Naavi with the vision of developing an alround DPO personality which includes “Knowledge with Attitude and Commitment”.

The motto of FDPPI is the development of “Knowledgeable, Efficient and  Ethical” eco system in India for Data Protection.  Accordingly the DPOs who will be the custodians of developing such a system have to be knowledgeable as well as have the right attitude required for a DPO without losing on the commitment to the requirements of the profession which includes the loyalty to the nation.

“Data Protection” is not simply understanding the clauses of the PDPA. Being aware of the law  is only the knowledge part.  The attitude part covers preparing the DPO to tackle challenges on three fronts namely being answerable to his boss within the organization which pays him the salary, the DPA which has a duty to protect the Privacy of Indian individuals and the Data Principals  who look at the DPO as the custodian of their Privacy Rights.

While most of the international certification programs end with the testing of knowledge of the law, FDPPI’s program as of now recognizes this as only different modules of the development of the awareness about the law.

The Module 1 (or Module-I) which was completed recently, covered the knowledge level of Indian law as at the present level along with a comparison with GDPR which is the other globally known law.

The future modules envisaged are

Module 2: (Module I+)

More on Indian law when the law is passed into an Act, a DPA is appointed and the DPA issues some basic regulatory guidelines.  This program will be only undertaken after the required developments take place. Hence we need to wait for some time to roll out this module.  (Eventually, Module I and I+ would be merged into one)

Module 3: (Module T)

This module will cover the technology related knowledge essential for an efficient DPO. This will cover the technologies required for compliance and will also discuss the challenges to data protection arising out of the new technologies particularly in the field of AI, Big Data, Encryption etc.

Module 4: (Module B)

This module will cover the behavioural aspects related to an efficient DPO. This will cover interpersonal relationship skills including Leadership, Decision Making, Motivation, Team Building, Counselling, Conflict resolution etc.

Module 5: (Module G):

This module will cover a study of at least 5 international data protection laws including an in-depth study of GDPR and Data Protection Laws applicable to USA along with some other relevant laws such as  Singapore, Australia as well as one optional country. This would be more an extension of the “awareness of law” from the Indian laws covered in Modules I and I+ to the global scenario

Module 6: (Module A)

This module will cover the skill requirements of a “Data Auditor” and follows the modules I, I+,T and B. This will encompass the system audit, information security audit and focus more on the harm audit, the DPIA and the annual data audit requirement under the law.

It is expected that in due course I and I+ will be merged into one and the other modules such as T, B, A and G will remain independent.

FDPPI realizes that the content in each of the individual module is dynamic and would evolve over time. For example a Module T conducted in 2021 would be far more advanced than Module T conducted in 2020. To some extent Module B may not change much. Module G is also dynamic because new laws may come in. The laws of Europe and USA could be a common factor while others could be changed as per the business requirements envisaged. Module A like Module B would also be more or less consistent except for the changes in technology  or law that may required to be factored in.

FDPPI has rolled out this plan of action and Naavi’s Cyber Law College will initially implement many of these modules as if it is an in-house implementation agency of these ideas. The objective is that when the Indian DPA is looking out for professional help for itself in designing the codes and practices and the conscientious industry players are getting ready in advance to be compliant before it is Compulsory, there will be a helping hand nearby with trained DPOs and Data Auditors.

At the same time, FDPPI wants to extend the partnership opportunities to other professional organizations who may have expertise in specific areas suitable for the different modules. They will work on a non exclusive basis to design and implement the training programs under these different modules. Some of the partners could work with regional focus and some could work pan India.

Towards this objective, FDPPI is open to receiving offers of “Training Partnership” with the motto… “Let’s together build Knowledge with Attitude and Commitment”.


Posted in Uncategorized | 2 Comments